Update: Authentication Cheat Sheet

[KadirArslan]

The current FIDO section only covers legacy UAF and U2F protocols.
I updated FIDO section to include FIDO2, WebAuthn, and Passkeys. They are commonly used techs nowadays. IMO we should cover in a small section.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as [TEXT](URL)
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #<REPLACE WITH ISSUE NUMBER>.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

• I have NOT used any AI tool to generate the contents of this PR.
• I have used AI tools to generate the contents of this PR. I have verified
  the contents and I affirm the results. The LLM used is [llm name and version]
  and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

[szh]

"biometric data or device locks" - biometric isn't always included, and I'm not sure what device locks mean. Can this be clarified please?
Also "synchronizing across devices" is not always present IIRC.

[KadirArslan]

@szh

Instead of "biometric data or device locks," I changed the term "local user verification," the general security mechanism required by FIDO. This term could be, as you mentioned, face/touch id (biometrics) or your phone or computers PIN (device lock).

"Synchronizing across devices" is not mandatory, but it is a very popular feature. Therefore, I simply say that this feature is generally supported. (Cloud-based credential managers like Apple Keychain provide this synchronization.)

Changed the text to be more clear and understandable.

Thank you! :)

[jmanico]

CTAP2 is the protocol between the client (browser/OS) and the authenticator, which may be:

1. a platform authenticator (Secure Enclave, TPM, Android StrongBox), or
2. a roaming hardware authenticator (YubiKey, Feitian, Titan, etc.)

WebAuthn and CTAP2 roles work together:

1. WebAuthn is the browser–to–web application API that allows a site to create and use public-key credentials for registration and authentication assertions.
2. CTAP2 is the protocol used by the browser/OS to communicate with the cryptographic authenticator (platform or roaming) that performs user verification and signs challenges.

You may want to explicitly mention that together they constitute FIDO2.